Method and system for providing restricted access to a storage medium

ABSTRACT

A method of restricting file access is disclosed wherein a set of file write access commands are determined from data stored within a storage medium. The set of file write access commands are for the entire storage medium. Any matching file write access command provided to the file system for that storage medium results in an error message. Other file write access commands are, however, passed onto a device driver for the storage medium and are implemented. In this way commands such as file delete and file overwrite can be disabled for an entire storage medium.

FIELD OF THE INVENTION

[0001] The present invention relates to data storage and more particularly to a method of providing restricted write access on a data storage medium.

BACKGROUND OF THE INVENTION

[0002] In the past, operating systems restricted file access based on three criteria. The first criterion relates to the physical limitations of the storage device. For example, a CD-ROM drive only provides read access and therefore is restricted to read-only operation. The second relates to limitations of the storage medium. For example, a CD is a read-only medium, a CDR is a read/write medium but when a CD is full, the writer becomes a read-only medium, and so forth. The third relates to file access privileges. For example, in the UNIX operating system a file is stored with a set of access privileges including read and write privileges. Some files are read only and others are read/write and so forth.

[0003] Unfortunately, these access privileges fail to adequately provide protection for archival storage devices such as magnetic tape or removable optical media.

[0004] An example of a popular operating system is Windows NT®. Using Windows NT®, device drivers are hidden from applications by a protected subsystem implementing a programming and user interface. Devices are visible to user-mode programs, which include protected subsystems, only as named file objects controlled by the operating system input/output (IO) manager. This architecture limits the amount of knowledge necessary to implement device drivers and applications. In order to provide reasonable performance, the two separated systems, device drivers and applications, operate independently.

[0005] For example, when a write operation is requested by an application, the request is made via a file object handle. The application does not actually communicate with the storage device nor does the device driver for that storage device communicate with the application. Each communicates with the operating system independently. Thus, when the write command is issued for writing data to a device, the data is stored in buffer memory while the destination device is being accessed. A successful completion status is provided to the application. When the destination storage device is available, the stored data is written to the destination storage device. When the storage device is unavailable or fails to support write operations, the data is not successfully written. An error message may result, but will not be directed toward the application since it is not known to the device driver or is inaccessible. For example, the application may have terminated before the error occurs. Alternatively, no error message results and when the buffer is flushed or when the system is rebooted, the data is lost. Neither of these results is acceptable in normal computer use.

[0006] Fortunately, most devices are easily verified as to their capabilities. Read only devices are known, as are read/write devices. Because a CD-ROM drive never becomes a read/write device, it is easily managed. When a device supports both read/write media and read only media the problem becomes evident.

[0007] To better highlight the problem, an example is presented. When a hard disk is full, accessing a file results in updating of file information relating to a last access date and so forth (journaling). File access information is updated each time a file is retrieved. The information requires no extra memory within the hard disk and therefore the status of the hard disk, full or available disk space, is unimportant since the new file access information overwrites previous file access information. Thus, the file system writes to storage media even when full, so long as the capability of doing so exists.

[0008] When an archive data store is used with a data store device, it is often desirable that it not be written to. Therefore, accessing a file requires that the file access information is not updated—journaling is not performed. Unfortunately, when the data store device is accessed via a read/write file object handle, updating of the file access information is performed by the file system. As such, the data store is altered even when this is not desired. Further, since a single data store device accepts any number of different data stores during a period of time when the file system is in continuous operation, it is impractical if not impossible to remount the data store device with a new data store device driver and a new file object handle whenever the read/write privileges change. Currently, there is no adequate solution to overcome this problem.

[0009] In an attempt to overcome these and other limitations of the prior art, it is an object of the present invention to provide a method of limiting access privileges for a storage medium that supports increased flexibility over those of the prior art.

SUMMARY OF THE INVENTION

[0010] In accordance with the invention there is provided a method of providing restricted access to a storage medium in communication with a computer comprising the step of:

[0011] executing a file system layer on the computer, the file system layer supporting a plurality of file system commands;

[0012] executing a trap layer on the computer, the trap layer logically disposed above the file system layer;

[0013] providing to the trap layer at least a disabled file system command relating to the storage medium and supported by the file system for the storage medium;

[0014] intercepting data provided to the file system layer including an intercepted file system command;

[0015] comparing the intercepted file system command to each of the at least a disabled file system command to produce at least a comparison result; and,

[0016] when each of the at least a comparison result is indicative of other than a match, providing the intercepted file system command to the file system layer.

[0017] In some embodiments an application layer is in execution logically above the trap layer such that the trap layer is logically disposed between the application layer and the file system layer; and when a comparison result from the at least a comparison result is indicative of a match, providing an error indication to the application layer. Preferably, the error indication is provided from the trap layer.

[0018] In accordance with the invention there is further provided a method of restricting access to a storage medium in communication with a computer, the method comprising the step of:

[0019] executing a file system layer on the computer, the file system layer supporting a plurality of file system commands;

[0020] providing to the file system layer at least a disabled file system command for the storage medium, the disabled file system command supported by the file system for the storage medium, the at least a disabled file system command being other than all write commands, other than all read commands, and other than all write commands and all read commands;

[0021] comparing file system commands provided to the file system layer to each of the at least a disabled file system command to produce at least a comparison result; and,

[0022] when each of the at least a comparison result is indicative of other than a match, executing the file system command.

[0023] In an embodiment the method also comprises the following steps: providing an indication of a data write access privilege for the entire logical storage medium, the data write access privilege indicative of a restriction to alteration of a same portion of each file stored on the logical storage medium; and restricting file access to the logical storage medium in accordance with the indication while allowing access to free space portions of the same logical storage medium.

[0024] In accordance with the invention there is also provided a method of restricting access by a computer to a storage medium other than a write once medium in communication with the computer, the method comprising the steps of: providing an indication of a data write access privilege for the entire logical storage medium indicating a disabled operation relating to alteration of a portion of each file stored within the logical storage medium, the indication other than a read only indication; and, restricting file access to each file within the logical storage medium in accordance with the same indication while allowing access to free space portions of the same logical storage medium. In an embodiment the indication comprises at least one of the following: write access without delete, write access without rename, write access without overwrite, and write access without changing file access privileges.

[0025] In accordance with the invention there is also provided a method of restricting access by a computer to a storage medium other than a write once medium in communication with the computer, the method comprising the steps of: providing an indication of a data write access privilege for the entire logical storage medium indicating a disabled operation relating to alteration of data within the logical storage medium, the indication other than a read only indication, the disabled operations supported by the storage medium; and restricting write access to data within the logical storage medium in accordance with the same indication while allowing access to free space portions of the same logical storage medium. A logical storage medium consists of a single physical storage medium or a single partition within a storage medium. Typically a disabled operation relates to destruction of data stored within a storage medium. Operations of this type include delete file, overwrite file, and rename file.

[0026] The present invention is preferably applied to removable storage media and more preferably to optical storage media such as removable optical rewritable disks.

[0027] According to an aspect of the present invention, restricted write access privileges for data stored within a data storage medium are supported. Advantageously, access privileges of this type allow write access to storage media or data files but limit that access in certain respects. These restrictions permit some level of control over a storage medium while providing some write privileges.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] Exemplary embodiments of the invention will now be described in conjunction with the drawings in which:

[0029] FIG. 1 is a simplified block diagram of an NT® operating system architecture during a process of opening a file;

[0030] FIG. 2 is a simplified block diagram of an NT® operating system architecture during a process of IRP processing;

[0031] FIG. 3 is a simplified block diagram of an operating system according to the invention;

[0032] FIG. 4 is a simplified block diagram of a system for opening a file such as that shown in FIG. 1 modified according to the invention;

[0033] FIG. 5 is a simplified flow diagram of a method of storing data in a storage medium forming part of a system such as that of FIG. 1;

[0034] FIG. 6 is a simplified flow diagram of a method of providing software settable access privileges within Windows NT®; and,

[0035] FIG. 7 is a simplified block diagram of the invention wherein the file system layer includes means for performing the functions of the trap layer.

DETAILED DESCRIPTION OF THE INVENTION

[0036] Referring to FIG. 1, a simplified block diagram of a Windows NT® (NT) operating system architecture during a process of opening a file is shown. NT drivers are hidden from end users by an NT protected subsystem that implements an already familiar NT programming interface. Devices are visible only as named file objects controlled by the NT Input/Output (IO) Manager to user-mode programs including protected subsystems.

[0037] An NT protected subsystem, such as the Win32® subsystem, passes IO requests to the appropriate kernel-mode driver through the IO system services. A protected subsystem insulates its end users and applications from having to know anything about kernel-mode components, including NT drivers. In turn, the NT IO Manager insulates protected subsystems from having to know anything about machine specific device configurations or about NT driver implementations.

[0038] The NT IO Manager's layered approach also insulates most NT drivers from having to know anything about the following: whether an IO request originated in any particular protected subsystem, such as Win32 or POSIX; whether a given protected subsystem has particular kinds of user-mode drivers; and, the form of any protected subsystem's IO model and interface to drivers.

[0039] The IO Manager supplies NT drivers with a single IO model, a set of kernel-mode support routines. These drivers carry out IO operations, and a consistent interface between the originator of an IO request and the NT drivers that respond to it results. File system requests are a form of IO request.

[0040] A subsystem and its native applications access an NT driver's device or a file on a mass-storage device through file object handles supplied by the NT IO Manager. A subsystem's request to open such a file object and to obtain a handle for IO to a device or a data file is made by calling the NT IO system services to open a named file, which has, for example, a subsystem-specific alias (symbolic link) to the kernel-mode name for the file object.

[0041] The NT IO Manager, which exports these system services, is then responsible for locating or creating the file object that represents the device or data file and for locating the appropriate NT driver(s).

[0042] The system follows a process described below in accordance with FIG. 1 for performing a file open operation. The subsystem calls an NT IO system service to open a named file. The NT IO Manager calls the Object Manager to look up the named file and to help it resolve any symbolic links for the file object. It also calls the Security Reference Monitor to check that the subsystem has the correct access rights to open that file object.

[0043] If the volume is not yet mounted, the IO Manager suspends the open request, calling one or more NT file systems until one of them recognises the file object as something it has stored on one of the mass storage devices the file system uses. When the file system has mounted the volume, the IO Manager resumes the request.

[0044] The IO Manager allocates memory (a RAM cache) for and initialises an IRP (IO request packet) for the open request. To NT drivers, an open is equivalent to a “create” request. The IO Manager calls the file system driver, passing it the IRP. The file system driver accesses its IO stack location in the IRP to determine what operation to carry out, checks parameters, determines if the requested file is in cache memory, and, if not, sets up the next lower driver's IO stack location in the IRP.

[0045] Both drivers process the IRP and complete the requested IO operation, calling kernel-mode support routines supplied by the IO Manager and by other NT components. The drivers return the IRP to the IO Manager with the IO status block set in the IRP to indicate whether the requested operation succeeded and/or why it failed. The IO Manager gets the IO status from the IRP, so it can return status information through the protected subsystem to the original caller. The IO Manager frees the completed IRP.

[0046] The IO Manager returns a handle for the file object to the subsystem if the open operation was successful. If there was an error, it returns appropriate status information to the subsystem.

[0047] After a subsystem successfully opens a file object that represents a data file, a device, or a volume, the subsystem uses the returned file object handle to request that device for IO operations, typically in the form of read, write, or device IO control requests. These operations are carried out by calling the IO system services. The IO Manager routes these requests as IRPs sent to appropriate NT drivers.

[0048] Referring to FIG. 2, a simplified block diagram of an NT® operating system architecture during a process of IRP processing is shown. The IO Manager calls the file system driver (FSD) with the IRP it has allocated for the subsystem's read/write request. The FSD accesses its IO stack location in the IRP to determine what operation it should carry out.

[0049] The FSD sometimes breaks the originating request into smaller requests by calling an IO support routine one or more times to allocate IRPs, which are returned to the FSD with zero-filled IO stack location(s) for lower-level driver(s). At its discretion, the FSD can reuse the original IRP, rather than allocating additional IRPs as shown in FIG. 2, by setting up the next-lower driver's IO stack location in the original IRP and passing it on to lower drivers.

[0050] For each driver-allocated IRP, the FSD calls an IO support routine to register an FSD-supplied completion routine so the driver is able to determine whether a lower driver satisfied the request and free each driver-allocated IRP when lower drivers have completed it. The IO Manager calls the FSD-supplied completion routine whether each driver-allocated IRP is completed successfully, with an error status, or cancelled. A higher-level NT driver is responsible for freeing any IRP it allocates and sets up on its own behalf for lower-level drivers. The IO Manager frees the IRPs that it allocates after all NT drivers have completed them. Next, the FSD calls an IO support routine to access the next lower-level driver's IO stack location in its FSD-allocated IRP in order to set up the request for the next-lower driver, which happens to be the lowest-level driver in FIG. 2. The FSD then calls an IO support routine to pass that IRP on to the next driver.

[0051] When it is called with the IRP, the physical device driver checks its IO stack location to determine what operation (indicated by the IRP_MJ_XXX function code) it should carry out on the target device, which is represented by the device object in its IO stack location and passed with the IRP to the driver. This driver can assume that the IO Manager has routed the IRP to an entry point that the driver defined for the IRP_MJ_XXX operation (here IRP_MJ_READ or IRP_MJ_WRITE) and that the higher-level driver has checked the validity of other parameters for the request.

[0052] If there were no higher-level driver, such a device driver would check whether the input parameters for an IRP_MJ_XXX operation are valid. If they are, a device driver usually calls IO support routines to tell the IO Manager that a device operation is pending on the IRP and to either queue or pass the IRP on to another driver-supplied routine that accesses the target device in the form of a physical or logical device such as a disk or a partition on a disk.

[0053] The IO Manager determines whether the device driver is already busy processing another IRP for the target device, queues the IRP if it is, and returns. Otherwise, the IO Manager routes the IRP to a driver-supplied routine that starts the IO operation on its device.

[0054] When the device interrupts, the driver's interrupt service routine (ISR) does only as much work as is necessary to stop the device from interrupting and to save necessary context about the operation. The ISR then calls an IO support routine with the IRP to queue a driver-supplied DPC routine to complete the requested operation at a lower hardware priority than the ISR.

[0055] When the driver's DPC gets control, it uses the context as passed in the ISR's call to IoRequestDpc to complete the IO operation. The DPC calls a support routine to dequeue the next IRP when present and to pass that IRP on to the driver-supplied routine that starts IO operations on the device. The DPC then sets status about the just completed operation in the IRP's IO status block and returns it to the IO Manager with IoCompleteRequest.

[0056] The IO Manager zeroes the lowest-level driver's IO stack location in the IRP and calls the file system's registered completion routine with the FSD-allocated IRP. This completion routine checks the IO status block to determine whether to retry the request or to update any internal state maintained about the original request and to free its driver-allocated IRP. The file system often collects status information for all driver-allocated IRPs it sends to lower-level drivers in order to set IO status and complete the original IRP. When it has completed the original IRP, the IO Manager returns NT status, the subsystem's native function, to the original requestor of the IO operation.

[0057] FIG. 2 also shows two IO stack locations in the original IRP because it shows two NT drivers, a file system driver and a mass-storage device driver. The IO Manager gives each driver in a chain of layered NT drivers an IO stack location of its own in every IRP that it sets up. The driver-allocated IRPs do not necessarily have a stack location for the FSD that created them. Any higher-level driver that allocates IRPs for lower-level drivers also determines how many IO stack locations the new IRPs should have, according to the StackSize value of the next-lower driver's device object.

[0058] An NT file system driver accesses the file object through its IO stack location in IRPs. Other NT drivers usually ignore the file object.

[0059] The set of IRP major and minor function codes that a particular NT driver handles are sometimes device-type-specific. However, NT device and intermediate drivers usually handle the following set of basic requests:

[0060] IRP_MJ_CREATE—open the target device object, indicating that it is present and available for IO operations;

[0061] IRP_MJ_READ—transfer data from the device;

[0062] IRP_MJ_WRITE—transfer data to the device;

[0063] IRP_MJ_DEVICE_CONTROL—set up or reset the device according to a system-defined, device-specific IO control code; and

[0064] IRP_MJ_CLOSE—close the target device object.

[0065] In general, the IO Manager sends IRPs with at least two IO stack locations to device drivers of mass-storage devices because an NT file system is layered over NT drivers for mass-storage devices. The IO Manager sends IRPs with a single stack location to any physical device driver that has no driver layered above it.
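The IRP mechanics of [0048] to [0065] (one IO stack location per layered driver, StackSize derived from the driver below, completion routines unwound from the lowest driver upward) can be modelled in a few dozen lines. The following is an added example, not the patent's own code and not the NT kernel API: `IoStackLocation`, `Irp`, `Driver`, `TrapFilter` and `IoManager` are Python stand-ins that borrow the DDK vocabulary used in the text. It also places a filter above the file system driver, as the later part of the patent does, so that IRPs for a disabled operation are completed with an error at the filter and never reach the FSD or the device driver.

```python
"""Toy model of an IRP travelling through a chain of layered NT drivers.
Added example, not the patent's own code and not the NT kernel API: the
names below imitate the DDK vocabulary the text uses but are assumptions."""
from dataclasses import dataclass

IRP_MJ_READ, IRP_MJ_WRITE = "IRP_MJ_READ", "IRP_MJ_WRITE"

@dataclass
class IoStackLocation:
    major_function: str = ""
    completion: object = None   # completion routine registered by the driver above

@dataclass
class Irp:
    stack: list                 # one IoStackLocation per driver in the chain
    current: int = 0            # index of the location owned by the driver being called
    status: str = "STATUS_PENDING"

class Driver:
    """A driver in a layered chain; `lower` is the next-lower driver, if any."""
    def __init__(self, name, lower=None):
        self.name, self.lower, self.trace = name, lower, []
        # StackSize of this driver's device object: one location for itself
        # plus those every driver below it needs.
        self.stack_size = 1 + (lower.stack_size if lower else 0)

    def dispatch(self, io_manager, irp):
        loc = irp.stack[irp.current]            # this driver's own IO stack location
        self.trace.append(f"{self.name}:{loc.major_function}")
        if self.lower is None:                  # lowest driver: perform the operation
            irp.status = "STATUS_SUCCESS"
            return io_manager.complete_request(irp)
        nxt = irp.stack[irp.current + 1]        # set up the next-lower driver's location
        nxt.major_function = loc.major_function
        nxt.completion = self.on_complete       # so this driver learns how it went
        irp.current += 1
        return io_manager.call_driver(self.lower, irp)

    def on_complete(self, irp):
        self.trace.append(f"{self.name}:completed {irp.status}")

class TrapFilter(Driver):
    """Filter layered above the file system driver for a read-only data store:
    IRPs whose major function is disabled are completed with an error by the
    filter and never reach the FSD or the device driver."""
    def __init__(self, name, lower, disabled):
        super().__init__(name, lower)
        self.disabled = set(disabled)

    def dispatch(self, io_manager, irp):
        loc = irp.stack[irp.current]
        if loc.major_function in self.disabled:
            self.trace.append(f"{self.name}:blocked {loc.major_function}")
            irp.status = "STATUS_ACCESS_DENIED"
            return io_manager.complete_request(irp)
        return super().dispatch(io_manager, irp)

class IoManager:
    def send(self, top, major_function):
        """Allocate an IRP with top.stack_size locations and route it to `top`."""
        irp = Irp([IoStackLocation() for _ in range(top.stack_size)])
        irp.stack[0].major_function = major_function
        return self.call_driver(top, irp)

    def call_driver(self, driver, irp):
        return driver.dispatch(self, irp)

    def complete_request(self, irp):
        # Unwind: run the completion routine registered in each location, from
        # the completing driver's location upward, then hand the status back.
        for loc in reversed(irp.stack[: irp.current + 1]):
            if loc.completion:
                loc.completion(irp)
        return irp.status

def demo():
    """Three-driver chain: trap filter over an FSD over a disk driver."""
    disk = Driver("disk")
    fsd = Driver("fsd", lower=disk)
    trap = TrapFilter("trap", lower=fsd, disabled=[IRP_MJ_WRITE])
    iom = IoManager()
    return {"stack_size": trap.stack_size,
            "read": iom.send(trap, IRP_MJ_READ),
            "write": iom.send(trap, IRP_MJ_WRITE),
            "disk": disk.trace, "fsd": fsd.trace, "trap": trap.trace}
```

`demo()` shows the two paths side by side: the read IRP has three stack locations, visits all three drivers and is completed from the bottom, so the FSD's completion routine runs before the filter's; the write IRP is completed at the filter with an access-denied status, and neither the FSD trace nor the disk trace records it.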

[0066] Referring to FIG. 3, a block diagram of an operating system is shown. The block diagram presents a simplified view of operating system functionality according to the invention. An application layer for supporting application execution communicates with an input/output layer of the computer. The input/output layer includes a display and a file system layer. The application layer communicates with the file system layer for performing read operations and write operations with storage media. Disposed between the application layer and the file system layer is a trap layer, also referred to as a filter layer. Each file system access request that is transmitted from the application layer to the file system layer is intercepted by the trap layer. In the trap layer, restrictions relating to access privileges are implemented. For example, some requests are blocked and error messages are returned to the application layer. Other requests are modified and the modified request passed on to the file system. When a data store is read only, a request to open a file for read/write access is modified to an open file for read-only access; a request to delete a file is blocked and an error message is returned. The use of a trap layer is applicable when the present invention is implemented within an existing operating system such as Windows NT®. Alternatively, an operating system supporting restricted write access is designed and restrictions relating to access privileges are implemented within the file system layer.

[0067] Referring to FIG. 4, a simplified block diagram of opening a file within Windows NT® according to the invention is shown. The diagram is based on the diagram of FIG. 1. The thick black line represents the trap layer or filter layer for preventing some file system operations from passing from the application layer to the file system layer. Accordingly, a data store device operates as a read/write device with a single device driver. The trap layer prevents write operations or, alternatively, other predetermined operations from being performed on a specific data store. The trap layer achieves this by blocking some requests and by modifying other requests. In this way, some operations are prevented without requiring modifications to existing applications. Thus, one data store may be read only while another is read/write. Unlike prior art implementations, an application requesting a write operation to a data store that is read-only receives an accurate and appropriate error message. There is no data lost by the device driver and, in fact, the device driver is freed of the trouble of dealing with file system commands which cannot be completed.

[0068] Also, the use of the trap layer allows for implementation of more complicated file access privileges based on data stored within each individual storage medium. For example, a storage medium may indicate read-write access but may not support delete operations. Device drivers perform low level commands such as read and write. Delete is a write operation, the device driver performing write operations to obfuscate or overwrite a file. As is evident, the device driver supports delete operations as does any read/write data store. However, by indicating to the trap layer that delete operations are not supported, all delete requests passed from the application layer for the specific data store are intercepted by the trap layer and an error message is returned to the application layer. No delete operation for a file is passed to the file system layer and therefore the device driver does not perform the write operations for obfuscating or overwriting the file, because none is received. It is evident that preventing file deletion is advantageous for protecting archived data and data histories.

[0069] Another operation which is advantageously restricted is overwriting of files. When a request is made to overwrite a file, typically the data within the file is overwritten. Overwriting of file data is a simple workaround to perform a file delete when that operation is blocked. Alternatively, in some devices, the data to overwrite is written to an unused portion of a storage medium and an address of the file data within a file allocation table is changed. The storage locations of the old file data are then considered free. Preventing data overwrite is performed according to the invention by modifying requests or blocking requests as necessary. Further, by trapping requests to overwrite file data according to the invention, a user friendly error message becomes possible. When an application provides a request to overwrite a file, an error message indicating that overwrite is not permitted and that a file name is needed to save the data is provided. The trap layer, upon receiving the file name from the error message, modifies the request in accordance therewith and in accordance with permitted operations and passes the modified request to the file system layer. Accordingly, data integrity is preserved with minimal inconvenience to users of the system.

[0070] It is also useful to restrict access to file access permissions. Often, permissions are global across a storage medium and altering of the permissions is not desirable. Still, many operating systems provide for file and storage medium related access privileges. These are modifiable at any time. Since privileges are generally static, there are advantages to setting up privileges for a storage medium such that during normal operation and with normal file system operations, the privileges are static. Preferably, there is at least a way to modify the global privileges in case it is desirable to do so. Preventing alteration of privileges prevents individuals having access to files from modifying access privileges in any way.

[0071] Another operation that is usefully restricted is overwriting of zero length files. Some operations within some applications create a zero length file and then overwrite it. Thus preventing overwriting of zero length files directly affects those applications. An example of such an application and operation is the “save as” command in Microsoft Word®. Thus, preventing overwriting of zero length files effectively prevents “save as” from functioning on the associated medium.

[0072] Similarly, renaming a file is useful for obfuscating data. Preventing renaming of files prevents hiding existing files or making them more difficult to locate. For example, changing a client's information file name from “Client 101 Information” to “To Do February 18” would make the file hard to locate. Thus, rename is an operation that it is desirable to restrict. Reasons for restricting the other listed operations are evident. Further, restricting other operations may also be advantageous and the present application is not limited to these operations.

[0073] Above mentioned operations which are advantageously restricted include overwriting files, changing file access permissions and medium access privileges, renaming files, formatting a medium and so forth. For example, a medium that does not allow any of the above mentioned operations provides a complete archival history of the medium's content and prevents alteration or deletion of the data. Such a medium is very useful for backing up office files or electronic mail.

[0074] Referring to FIG. 5, a flow diagram of a method of storing data in a storage medium forming part of a system such as that of FIG. 3 is shown. An application in execution on the system seeks to store a data file on a storage medium within the file system layer of the system. A request and data for storage within the file are transmitted from the application layer to the file system layer. The request includes an operation and data relating to a destination storage medium on which to store the data. The trap layer intercepts the request and the data and determines whether the storage medium selected supports the operation. When the storage medium supports the operation, the request and the data are passed on to the file system layer. When necessary, the request is modified prior to provision to the file system layer. In the file system layer the operation is conducted according to normal file system layer procedures. When the storage medium does not support the operation in its original or a modified form, the trap layer returns an indication of this to the application layer. The operation and the data are not passed on to the file system layer. This provides additional access privilege functionality.

[0075] Referring to FIG. 6, a simplified flow diagram of a method of providing software settable access privileges within Windows NT® is shown. A storage medium is mounted within a computer system. The storage medium has stored thereon data relating to access privileges for the storage medium. Upon mounting the storage medium, data relating to physical limitations of the read/write device are loaded into the device driver for that device within the file system layer. The limitations are recognised by the system software. Also upon mounting the storage medium, the data relating to access privileges for the storage medium are loaded into the trap layer. The trap layer limits operations performed on the storage medium to those supported by the read/write device by limiting the requests passed on to the file system layer or, when the trap layer forms part of the file system layer, by filtering and/or modifying the requests. The data relating to access privileges for the storage medium are used to limit those requests provided to the file system layer.
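The behaviour described from [0066] through [0075] (privilege data read from the medium at mount time, a trap layer comparing each intercepted command against the medium's disabled commands, blocking with an error, or modifying a request into a permitted one, while still allowing writes into free space) is shown end to end in the following added example. It is not the patent's own code: `Op`, `PRIVILEGE_TO_OP`, `Medium`, `TrapLayer` and the two media records are assumptions, and the on-medium privilege encoding (`"write-no-delete"` and so on) is one constructed way of storing the indications listed in the summary.

```python
"""Toy model of the trap (filter) layer. Added example, not the patent's own
code; every name here (Op, PRIVILEGE_TO_OP, Medium, TrapLayer) is assumed."""
from dataclasses import dataclass
from enum import Enum

class Op(Enum):
    OPEN_RO = "open_ro"
    OPEN_RW = "open_rw"
    CREATE = "create"        # writes a new file into free space
    OVERWRITE = "overwrite"  # replaces the data of an existing file
    DELETE = "delete"
    RENAME = "rename"
    CHMOD = "chmod"          # changes a file's access privileges

# Assumed on-medium encoding of the indications named in the summary
# (write access without delete / rename / overwrite / privilege changes).
PRIVILEGE_TO_OP = {"write-no-delete": Op.DELETE, "write-no-rename": Op.RENAME,
                   "write-no-overwrite": Op.OVERWRITE, "write-no-chmod": Op.CHMOD}

@dataclass
class Medium:
    label: str
    read_only: bool
    disabled: set   # the disabled file system commands for this medium
    files: dict     # stand-in for the file system layer: name -> bytes

class TrapLayer:
    def __init__(self):
        self.media = {}

    def mount(self, record):
        # On mount, the privilege data stored on the medium itself is loaded
        # into the trap layer (FIG. 6); the device driver is not involved.
        privs = [p for p in record["privileges"].split(",") if p]
        medium = Medium(record["label"], "read-only" in privs,
                        {PRIVILEGE_TO_OP[p] for p in privs if p in PRIVILEGE_TO_OP},
                        dict(record["files"]))
        self.media[medium.label] = medium
        return medium

    def request(self, label, op, name, new_name=None, data=b""):
        # Intercept one application request; return (status, detail).
        m = self.media[label]
        if m.read_only:
            # A read/write open is modified into a read-only open; other requests are blocked.
            if op is Op.OPEN_RW:
                return self._file_system(m, Op.OPEN_RO, name, new_name, data, "MODIFIED")
            if op is not Op.OPEN_RO:
                return ("ERROR", f"{m.label} is read-only: {op.value} not permitted")
        if op in m.disabled:
            if op is Op.OVERWRITE and new_name:
                # User supplied the file name the error asked for: modify into a create ([0069]).
                return self._file_system(m, Op.CREATE, new_name, None, data, "MODIFIED")
            # Match against a disabled command: error to the application, nothing passed on.
            detail = f"{op.value} not permitted on {m.label}"
            if op is Op.OVERWRITE:
                detail += "; a new file name is needed to save the data"
            return ("ERROR", detail)
        return self._file_system(m, op, name, new_name, data, "OK")  # no match: pass on

    @staticmethod
    def _file_system(m, op, name, new_name, data, status):
        # Minimal file system layer, reached only with permitted requests.
        if op is Op.CREATE:
            if name in m.files:   # would be an overwrite, not a free-space write
                return ("ERROR", f"{name} exists")
            m.files[name] = data
            return (status, f"created {name}")
        if name not in m.files:
            return ("ERROR", f"no such file {name}")
        if op is Op.OVERWRITE:
            m.files[name] = data
            return (status, f"overwrote {name}")
        if op is Op.DELETE:
            del m.files[name]
            return (status, f"deleted {name}")
        if op is Op.RENAME:
            m.files[new_name] = m.files.pop(name)
            return (status, f"renamed {name} to {new_name}")
        return (status, f"{op.value} {name}")   # open_ro / open_rw / chmod

# Constructed sample media: an archive that accepts new files only, and a full
# archive that was set read-only once it filled up.
ARCHIVE = {"label": "ARCHIVE-A", "files": {"Client 101 Information": b"contract"},
           "privileges": "write-no-delete,write-no-rename,write-no-overwrite,write-no-chmod"}
FULL = {"label": "ARCHIVE-B", "files": {"mail-1999.mbx": b"..."}, "privileges": "read-only"}

def demo():
    trap = TrapLayer()
    for record in (ARCHIVE, FULL):
        trap.mount(record)
    results = [
        trap.request("ARCHIVE-A", Op.DELETE, "Client 101 Information"),               # blocked
        trap.request("ARCHIVE-A", Op.RENAME, "Client 101 Information", "To Do February 18"),
        trap.request("ARCHIVE-A", Op.CREATE, "report.doc", data=b"v1"),               # free space
        trap.request("ARCHIVE-A", Op.OVERWRITE, "report.doc", data=b"v2"),            # blocked
        trap.request("ARCHIVE-A", Op.OVERWRITE, "report.doc", "report-v2.doc", b"v2"),  # modified
        trap.request("ARCHIVE-B", Op.OPEN_RW, "mail-1999.mbx"),                       # modified
        trap.request("ARCHIVE-B", Op.DELETE, "mail-1999.mbx"),                        # blocked
    ]
    return results, trap
```

Calling `demo()` and printing its first result shows each outcome the text describes: delete and rename on the archive are answered with an error and never reach the file system layer, a new file lands in free space, the overwrite is refused with a message asking for a file name, the same overwrite with a name supplied is rewritten into a create, and on the full medium a read/write open is passed on as a read-only open while a delete is refused. After the run the original "Client 101 Information" file is untouched under its original name.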

[0076] When the storage medium is a data store for archiving purposes, there are evident advantages to treating the storage medium as a read-only storage medium. For example, once the data store is full, setting it to read-only allows its use without risking tampering or accidental modification. Therefore, media specific access privileges are advantageous.

[0077] Referring to FIG. 7, a simplified block diagram of the invention wherein the file system layer includes means for performing the functions of the trap layer is shown. Such an embodiment operates in a similar fashion to those described above. The file system receives all file access requests and compares them to those that are not permitted. When an access command is not permitted on an indicated storage medium, an error message is returned to the application layer. When an access command is permitted, it is performed on the appropriate storage medium. The access command may be that requested or, alternatively, a modified form of the requested command resulting in a supported operation.
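A simplified model of the trap layer described in [0074] to [0077], written here as an added example rather than code from the patent: a per-medium set of disabled commands is loaded at mount time, each request is compared against it after an assumed modification rule (overwriting a path that does not exist yet becomes a create into free space), and a match returns an error instead of reaching the file system layer. The Op names, the policy layout and the in-memory file system are assumptions made for the example.

```python
from enum import Enum, auto

class Op(Enum):  # file system commands the trap layer distinguishes (assumed names)
    READ = auto()
    CREATE = auto()     # write a new file into free space
    OVERWRITE = auto()
    DELETE = auto()
    RENAME = auto()
    CHMOD = auto()      # modify permissions

# Constructed sample of the access-privilege data read from a medium at mount
# time: new files may be written, but existing files may not be altered.
ARCHIVE_POLICY = {"disabled": {Op.OVERWRITE, Op.DELETE, Op.RENAME, Op.CHMOD}}

class FileSystemLayer:  # in-memory stand-in for the file system and drivers
    def __init__(self):
        self.media = {}                     # medium name -> {path: bytes}

    def mount(self, medium):
        self.media.setdefault(medium, {})

    def execute(self, medium, op, path, data=None, new_path=None):
        files = self.media[medium]
        if op is Op.READ:
            return files[path]
        if op in (Op.CREATE, Op.OVERWRITE):
            files[path] = data
        elif op is Op.DELETE:
            del files[path]
        elif op is Op.RENAME:
            files[new_path] = files.pop(path)
        return "OK"                         # CHMOD is a no-op in this model

class TrapLayer:  # logically above the file system layer; sees every request
    def __init__(self, fs):
        self.fs = fs
        self.disabled = {}                  # medium name -> set of disabled Ops

    def mount(self, medium, policy=None):
        self.fs.mount(medium)
        self.disabled[medium] = set(policy["disabled"]) if policy else set()

    def request(self, medium, op, path, data=None, new_path=None):
        # Modification step (assumed rule): overwriting a path that does not
        # exist yet touches only free space, so the request becomes a CREATE.
        if op is Op.OVERWRITE and path not in self.fs.media[medium]:
            op = Op.CREATE
        if op in self.disabled[medium]:     # matches a disabled command
            return "ERROR: command disabled on medium " + medium
        return self.fs.execute(medium, op, path, data, new_path)
```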

[0078] The term logical storage medium is used herein and in the claims that follow to designate either a physical storage medium or a portion of a physical storage medium that is treated by the operating system as a separate storage medium. Thus, a partitioned hard disk with two partitions consists of one physical storage medium and two logical storage media.

[0079] Numerous other embodiments of the invention may be envisaged without departing from the spirit and scope of the invention.

What is claimed is:
1. A method of providing restricted access to a storage medium in communication with a computer comprising the steps of: executing a file system layer on the computer, the file system layer supporting a plurality of file system commands; executing a trap layer on the computer, the trap layer logically disposed above the file system layer; providing to the trap layer at least a disabled file system command relating to the storage medium and supported by the file system for the storage medium; intercepting data provided to the file system layer including an intercepted file system command; comparing the intercepted file system command to each of the at least a disabled file system command to produce at least a comparison result; and, when each of the at least a comparison result is indicative of other than a match, providing the intercepted file system command to the file system layer.
2. A method as defined in claim 1 comprising the steps of: providing to the trap layer at least a modifiable file system command relating to the storage medium and requiring modification to be supported by the file system for the storage medium; comparing the intercepted file system request to each of the at least a modifiable file system command to produce at least a second comparison result; and, when the at least a second comparison result is indicative of a match, modifying the file system request and providing the modified file system command to the file system layer.
3. A method as defined in claim 2 comprising the steps of: executing an application layer, the application layer in execution logically above the trap layer such that the trap layer is logically disposed between the application layer and the file system layer; and when a comparison result from the at least a comparison result is indicative of a match, providing an error indication to the application layer.
4. A method as defined in claim 3 wherein the error indication is provided from the trap layer.
5. A method as defined in claim 4 wherein the at least a disabled file system command comprises at least a command resulting in a write operation to the storage medium.
6. A method as defined in claim 5 wherein the at least a command comprises at least one of a delete file command, a rename file command, a modify permissions command, an overwrite file command and an overwrite zero length file command.
7. A method as defined in claim 6 wherein the at least a command comprises a delete file command.
8. A method as defined in claim 6 wherein the at least a command comprises a rename file command.
9. A method as defined in claim 6 wherein the at least a command comprises a modify permissions command.
10. A method as defined in claim 6 wherein the at least a command comprises an overwrite file command.
11. A method as defined in claim 6 wherein the at least a command comprises an overwrite zero length file command.
12. A method as defined in claim 6 wherein the at least a disabled file system command comprises a set of commands including all commands resulting in a write operation to the storage medium.
13. A method as defined in claim 2 wherein the at least a disabled file system command is determined from data stored on the storage medium.
14. A method as defined in claim 13 wherein the at least a disabled file system command relates to all files stored on the storage medium.
15. A method as defined in claim 1 wherein the at least a disabled file system command comprises a set of commands including all commands resulting in a write operation to the storage medium.
16. A method of restricting access to a storage medium in communication with a computer, the method comprising the steps of: executing a file system layer on the computer, the file system layer supporting a plurality of file system commands; providing to the file system layer at least a disabled file system command for the storage medium, the disabled file system command supported by the file system for the storage medium, the at least a disabled file system command being other than all write commands, other than all read commands, and other than all write commands and all read commands; comparing file system requests provided to the file system layer to each of the at least a disabled file system command to produce at least a comparison result; and, when each of the at least a comparison result is indicative of other than a match, executing the file system command.
17. A method as defined in claim 16 comprising the steps of: providing to the file system layer at least a modifiable file system command relating to the storage medium and requiring modification to be supported by the file system for the storage medium; comparing the intercepted file system request to each of the at least a modifiable file system command to produce at least a second comparison result; and, when the at least a second comparison result is indicative of a match, modifying the file system request and providing the modified file system request to the file system layer.
18. A method as defined in claim 17 comprising the steps of: executing an application layer, the application layer in execution logically above the file system layer; and when a comparison result from the at least a comparison result is indicative of a match, providing an error indication to the application layer.
19. A method as defined in claim 18 wherein the at least a command comprises at least one of a delete file command, a rename file command, a modify permissions command, an overwrite file command and an overwrite zero length file command.
20. A method as defined in claim 19 wherein the at least a command comprises a delete file command.
21. A method as defined in claim 19 wherein the at least a command comprises a rename file command.
22. A method as defined in claim 19 wherein the at least a command comprises a modify permissions command.
23. A method as defined in claim 19 wherein the at least a command comprises an overwrite file command.
24. A method as defined in claim 19 wherein the at least a command comprises an overwrite zero length file command.
25. A method as defined in claim 16 wherein the at least a disabled file system command is determined from data stored on the storage medium.
26. A method as defined in claim 25 wherein the at least a disabled file system command relates to all files stored on the storage medium.
27. A method of restricting access by a computer to a logical storage medium other than a write once medium in communication with the computer, the method comprising the steps of: providing an indication of a data write access privilege for the entire logical storage medium, the data write access privilege indicative of a restriction to alteration of a same portion of each file stored on the logical storage medium; and restricting file access to the logical storage medium in accordance with the indication while allowing access to free space portions of the same logical storage medium.
28. A method as defined in claim 27 comprising the steps of: writing further file data to the free space portions of the same logical storage medium; and, restricting file access to the further file data in accordance with the indication while allowing access to remaining free space portions of the same logical storage medium.
29. A method as defined in claim 27 wherein the indication of a data write access privilege is one of the following: write access without delete, write access without rename, write access without overwrite, and write access without changing file access privileges.
30. A method as defined in claim 27 wherein the storage medium is a removable storage medium.
31. A method of restricting access by a computer to a storage medium other than a write once medium in communication with the computer, the method comprising the steps of: providing an indication of a data write access privilege for the entire logical storage medium indicating a disabled operation relating to alteration of a portion of each file stored within the logical storage medium, the indication other than a read only indication; and, restricting file access to each file within the logical storage medium in accordance with the same indication while allowing access to free space portions of the same logical storage medium.
32. A method as defined in claim 31 wherein the indication comprises at least one of the following: write access without delete, write access without rename, write access without overwrite, and write access without changing file access privileges.
33. A method as defined in claim 32 wherein the logical storage medium is a single physical storage medium and wherein a single physical storage medium consists of a single logical storage medium.
34. A method as defined in claim 32 wherein the storage medium is a removable storage medium.
35. A method of restricting access by a computer to a storage medium other than a write once medium in communication with the computer, the method comprising the steps of: providing an indication of a data write access privilege for the entire logical storage medium indicating a disabled operation relating to alteration of data within the logical storage medium, the indication other than a read only indication, the disabled operations supported by the storage medium; and restricting write access to data within the logical storage medium in accordance with the same indication while allowing access to free space portions of the same logical storage medium.